Saturday, December 11, 2010


N&ST cast its NERC Registered Ballot Body ballot (Segment 8) against the new version of CIP-005. Here are the comments submitted with the Negative ballot:

N&ST suggests revising R6.1 to allow certain remote systems to access Cyber Assets within an ESP directly when all of the following conditions are true: (a) The remote system is controlled by the same Responsible Entity as the Cyber Assets within the ESP. (b) There is an operational requirement for direct access. Some activities, such as patching and vulnerability assessments, may be difficult or impossible via an intermediate system. The Responsible Entity should be required to document the operational requirement that makes direct connection necessary. (c) The remote system meets the requirements of R6.5.1, R6.5.2, and R6.5.3.

N&ST considers account management Requirements 6.3.1 and 6.3.2 to be redundant and already addressed by existing CIP-005-3 requirement R2.5 (renumbered to R2.4 in proposed CIP-005-4), as well as by CIP-004 Requirement R4. They should be eliminated.

N&ST also considers Requirement R6.3.3 largely addressed by the existing CIP-005 requirement for Cyber Vulnerability Assessment (R4). It should either be eliminated entirely, or any of its provisions that are unique to remote access (such as encryption or 2-factor authentication) should be appended to existing CIP-005 Requirement R4.

N&ST does believe requirements R6.5.1, R6.5.2, and R6.5.3 can and should be applied to remote systems with direct access to systems within the ESP. However, we believe they should not be applied to indirectly connected systems that are under the Responsible Entity's control. We also believe that NONE of requirements R6.5.1 through R6.5.4 should apply to remote systems that are NOT under the Responsible Entity's control or are not used to connect to the ESP. This recommendation is based on our belief that as written the requirements are unenforceable and cannot be audited. A signed and dated acknowledgement form would, in our opinion, prove nothing.